From a1897fd3b1945970c18dab83d30d110e401844ca Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Tue, 2 Mar 2021 22:02:31 +0100 Subject: [PATCH] luks_device: add sector_size option (#193) * Add sector_size option to luks_device. * Trying to improve error handling. * Improve error handling. --- changelogs/fragments/193-luks_device-sector_size.yml | 2 ++ plugins/modules/luks_device.py | 12 +++++++++++- .../targets/luks_device/tasks/tests/passphrase.yml | 9 ++++++--- 3 files changed, 19 insertions(+), 4 deletions(-) create mode 100644 changelogs/fragments/193-luks_device-sector_size.yml diff --git a/changelogs/fragments/193-luks_device-sector_size.yml b/changelogs/fragments/193-luks_device-sector_size.yml new file mode 100644 index 000000000..106abb9ca --- /dev/null +++ b/changelogs/fragments/193-luks_device-sector_size.yml @@ -0,0 +1,2 @@ +minor_changes: +- "luks_device - allow to specify sector size for LUKS2 containers with new ``sector_size`` parameter (https://github.com/ansible-collections/community.crypto/pull/193)." diff --git a/plugins/modules/luks_device.py b/plugins/modules/luks_device.py index 3749e0a98..9b687b402 100644 --- a/plugins/modules/luks_device.py +++ b/plugins/modules/luks_device.py @@ -211,6 +211,12 @@ run in parallel. - This is not used for PBKDF2, but only for the Argon PBKDFs. type: int + sector_size: + description: + - "This option allows the user to specify the sector size (in bytes) used for LUKS2 containers." + - "Will only be used on container creation." + type: int + version_added: '1.5.0' requirements: - "cryptsetup" 
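Review bot: The new `sector_size` entry in the option documentation does not say which values are accepted or how the option interacts with `type`. cryptsetup documents the sector size as a power of two between 512 and 4096 bytes, and the text here describes the option as a LUKS2 setting, so a reader cannot tell what happens with `type: luks1` or with `type` unset. I would add a line such as `- "Must be a power of two between 512 and 4096. Only meaningful when the container is created as LUKS2."`. I would also reword the second entry to state that an existing container with a different sector size is left unchanged and reported as unchanged. The surrounding documentation block starts and ends outside this hunk.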
@@ -452,7 +458,7 @@ def _add_pbkdf_options(self, options, pbkdf): if pbkdf['parallel'] is not None: options.extend(['--pbkdf-parallel', str(pbkdf['parallel'])]) - def run_luks_create(self, device, keyfile, passphrase, keysize, cipher, hash_, pbkdf): + def run_luks_create(self, device, keyfile, passphrase, keysize, cipher, hash_, sector_size, pbkdf): # create a new luks container; use batch mode to auto confirm luks_type = self._module.params['type'] label = self._module.params['label'] @@ -471,6 +477,8 @@ def run_luks_create(self, device, keyfile, passphrase, keysize, cipher, hash_, p options.extend(['--hash', hash_]) if pbkdf is not None: self._add_pbkdf_options(options, pbkdf) + if sector_size is not None: + options.extend(['--sector-size', str(sector_size)]) args = [self._cryptsetup_bin, 'luksFormat'] args.extend(options) @@ -759,6 +767,7 @@ def run_module(): ), mutually_exclusive=[('iteration_time', 'iteration_count')], ), + sector_size=dict(type='int'), ) mutually_exclusive = [ @@ -806,6 +815,7 @@ def run_module(): module.params['keysize'], module.params['cipher'], module.params['hash'], + module.params['sector_size'], module.params['pbkdf'], ) except ValueError as e: diff --git a/tests/integration/targets/luks_device/tasks/tests/passphrase.yml b/tests/integration/targets/luks_device/tasks/tests/passphrase.yml index d91bb8c6c..f3b5e506b 100644 --- a/tests/integration/targets/luks_device/tasks/tests/passphrase.yml +++ b/tests/integration/targets/luks_device/tasks/tests/passphrase.yml 
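Review bot: In the hunk at -471, `--sector-size` is appended to the `luksFormat` options with no range check, and the argument spec in the hunk at -759 (`sector_size=dict(type='int')`) accepts any integer, including zero and negative values. An invalid value therefore only surfaces as a cryptsetup error, after the destructive format command has already been invoked against the device. Constraining the value in the spec gives an earlier and clearer failure, for example `sector_size=dict(type='int', choices=[512, 1024, 2048, 4096]),`, assuming those are the sizes the supported cryptsetup versions accept. The option is also passed when `type` is `luks1`, although the documentation added in this patch describes it as LUKS2-only. The call site appears to catch ValueError, so that combination could be rejected with `raise ValueError('sector_size requires a LUKS2 container')` before the command is built. The body of run_luks_create continues outside the hunk.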
@@ -4,19 +4,22 @@ device: "{{ cryptfile_device }}" state: closed passphrase: "{{ cryptfile_passphrase1 }}" + type: luks2 pbkdf: iteration_time: 0.1 algorithm: argon2i memory: 1000 parallel: 1 + sector_size: 1024 become: yes ignore_errors: yes register: create_passphrase_1 -- name: Make sure that the previous task only fails because the LUKS version used cannot handle the PBKDF parameters +- name: Make sure that the previous task only fails if LUKS2 is not supported assert: that: - - create_passphrase_1 is not failed or 'Failed to set pbkdf parameters' in create_passphrase_1.msg + - "'Unknown option --type' in create_passphrase_1.msg" + when: create_passphrase_1 is failed - name: Create with passphrase1 (without argon2i) luks_device: @@ -26,7 +29,7 @@ pbkdf: iteration_time: 0.1 become: yes - when: create_passphrase_1 is failed and 'Failed to set pbkdf parameters' in create_passphrase_1.msg + when: create_passphrase_1 is failed - name: Open with passphrase1 luks_device:
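Review bot: Nothing in this test checks that the container was actually created with a 1024-byte sector size, so a regression that drops `--sector-size` from the command line would still pass. A follow-up task, run only when `create_passphrase_1` succeeded, could call `cryptsetup luksDump "{{ cryptfile_device }}"` and assert on the sector size it reports. The rewritten assert also accepts only `'Unknown option --type'` as a failure reason, and the fallback task in the hunk at -26 now runs on any failure. A cryptsetup that knows `--type` but rejects the sector size or the PBKDF parameters would therefore fail the assert instead of falling back. If that is intended, a short comment on the assert saying so would help the next reader.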